Twitter has shuttered two accounts, @lagal1990 and @shiftrows13, that were used specifically to trick security researchers into downloading malware as part of a long-running cyber-espionage campaign attributed to North Korea. The campaign was first reported by the Google Threat Analysis Group (TAG) in January and is ongoing. On Friday, Google TAG analyst Adam Weidemann confirmed that Twitter suspended the accounts as part of the operation. This is the second time that Twitter has taken action against accounts linked to the Democratic People’s Republic of Korea (DPRK), having suspended another account connected to the espionage campaign in August.

“We (TAG) confirmed these are directly related to the cluster of accounts we blogged about earlier this year,” Weidemann said. “In the case of @lagal1990, they renamed a GitHub account previously owned by another of their Twitter profiles that was shutdown in Aug, @mavillon1.” — Adam (@digivector), October 15, 2021

The Sweet Smell of Bugs and Bug-Hunting

As Weidemann detailed in his January analysis, the threat actors set up a “research” blog and used the Twitter profiles to disseminate links to it in order to pull in potential targets. They also used the accounts…

The cybercriminals behind the infamous TrickBot trojan have signed two additional distribution affiliates, dubbed Hive0106 (aka TA551) and Hive0107 by IBM X-Force. The result? Escalating ransomware hits on corporations, especially using the Conti ransomware.

The development also speaks to the TrickBot gang’s increasing sophistication and standing in the cybercrime underground, IBM researchers said: “This latest development demonstrates the strength of its connections within the cybercriminal ecosystem and its ability to leverage these relationships to expand the number of organizations infected with its malware.”

The TrickBot malware started life as a banking trojan back in 2016, but it quickly evolved into a modular, full-service threat. It is capable of a range of backdoor and data-theft functions, can deliver additional payloads, and can move laterally through an enterprise quickly.

According to IBM, the TrickBot gang (aka ITG23 or Wizard Spider) has now added powerful additional distribution tactics to its bag of tricks, thanks to the two new affiliates. “Earlier this year, [the TrickBot gang] primarily relied on email campaigns delivering Excel documents and a call-center ruse known as BazarCall to deliver its payloads to corporate users,” IBM researchers said in a Wednesday analysis. “However…the new affiliates have added the use of hijacked email threads and fraudulent website customer-inquiry forms. This move not only increased the volume of…

The St. Louis Post-Dispatch newspaper recently found a huge security blunder: A Missouri educational agency’s website was exposing the Social Security numbers of more than 100,000 school teachers, administrators and counselors in the HTML source code of its pages. The newspaper verified its findings with a cybersecurity professor and then, on Tuesday, informed the agency responsible for the leaking site, the Department of Elementary and Secondary Education (DESE). The same day, DESE took down the affected pages. On Wednesday, having held the story until the pages came down, the outlet published it.

The next day, on Thursday morning, a naked emperor shot the messenger: Missouri Gov. Mike Parson threatened legal action against whoever found the vulnerability and whoever may have helped them.

“Through a multi-step process, an individual took the records of at least three educators, decoded the HTML source code, and viewed the SSN of those specific educators. We notified the Cole County prosecutor and the Highway Patrol’s Digital Forensic Unit will investigate.” — Governor Mike Parson (@GovParsonMO), October 14, 2021

He called the unnamed journalist a “hacker,” vowed to sic the courts on the individual and said the state would try to recoup incident-response costs that might run taxpayers “as much as $50 million.”

A Quick Tutorial in How to Become a Source-Code-Sniffing ‘Hacker’

“Through a multistep…

When Township High School District 214 in Illinois got rickrolled all at once across its six different schools just before graduation, it was more than a meticulously executed senior prank. Cybersecurity star-in-the-making and recent high-school graduate Minh Duong found, and was able to exploit, a zero-day bug in the district’s Exterity IPTV system.

The goof was received in good humor by school administrators, luckily for Minh and his cohorts, and the bug was reported to Exterity. But so far, the company has not responded to Minh’s disclosure or said anything about possible mitigations, he said. “If I don’t end up hearing back from them in my next few attempts at contact, I will publish the exploit that I used,” he told Threatpost. “CVE-2021-42109 has been reserved for the Exterity IPTV privesc vulnerabilities, with my blog post being listed as a reference.”

“The Big Rick,” as the prank was called, came off beautifully, hijacking every TV, projector and monitor on the district’s IPTV system to play Rick Astley’s classic video for “Never Gonna Give You Up.”

Projectors and TVs across the Township district are all connected, and can be controlled through a blue box running three Exterity tools: the AvediaPlayer receiver, the AvediaStream encoder and the AvediaServer for management. “These receivers include both a web interface and an SSH server to execute the serial commands,” he wrote. “Additionally, they run embedded Linux with BusyBox tools, and use some obscure CPU…

On Wednesday, Verizon’s Visible, an all-digital, uber-cheap wireless carrier, confirmed what customers had been complaining about on Reddit and Twitter all week: They lost control of their accounts, had their passwords and shipping addresses changed, and some were stuck with bills for pricey new iPhones. The carrier denied suffering a data breach. Rather, on Wednesday it described what sounds like a credential-stuffing attack:

Visible is aware of an issue in which some member accounts were accessed and/or charged without their authorization. As soon as we were made aware of the issue, we immediately initiated a review and started deploying tools to mitigate the issue and enable additional controls to further protect our customers.

Our investigation indicates that threat actors were able to access username/passwords from outside sources, and exploit that information to login to Visible accounts. If you use your Visible username and password across multiple accounts, including your bank or other financial accounts, we recommend updating your username/password with those services.

Protecting customer information — including securing customer accounts — is critically important to our company and our customers. As a reminder, our company will never call and ask for your password, secret questions or account PINs. If you feel your account has been compromised, please reach out to us via chat at visible.com.

—Visible’s Wednesday statement, posted to Reddit

Reach out via chat?…
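Visible’s statement describes the pattern defenders call credential stuffing: username/password pairs leaked from other services are replayed against many accounts, so a single source touches many different usernames once or twice each, rather than hammering one account with many passwords (brute force). The detector below is an added example and is not Visible’s tooling or anything from the original report. It runs over a constructed authentication log (the line format, addresses and usernames are assumptions for the example) and flags any source address that fails against at least min_users distinct accounts inside a sliding window, then lists the successful logins from flagged sources, which are the accounts to lock and re-verify.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed log format (an assumption for this example, not Visible's):
# one authentication event per line.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Return (timestamp, ip, user, result) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["ip"], m["user"], m["result"]


def detect_stuffing(lines, window=timedelta(minutes=10), min_users=5):
    """Flag source IPs whose failures span >= min_users distinct accounts
    within any `window`, and list successful logins from those IPs.

    Returns (flagged, compromised):
      flagged     -> {ip: max distinct usernames failed in one window}
      compromised -> sorted [(user, ip)] of OK logins from flagged IPs
    """
    events = sorted(e for e in map(parse_line, lines) if e)
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        fails = [(ts, user) for ts, _, user, res in evs if res == "FAIL"]
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it fits within `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if len(users) >= min_users:
                flagged[ip] = max(len(users), flagged.get(ip, 0))

    compromised = sorted(
        {(user, ip) for _, ip, user, res in events if res == "OK" and ip in flagged}
    )
    return flagged, compromised


# Constructed sample: 198.51.100.7 sprays seven accounts in six seconds and
# gets into one; 203.0.113.5 is one user mistyping a password, then succeeding.
SAMPLE_LOG = """
2021-10-11T03:14:01Z ip=198.51.100.7 user=alice result=FAIL
2021-10-11T03:14:02Z ip=198.51.100.7 user=bob result=FAIL
2021-10-11T03:14:02Z ip=198.51.100.7 user=carol result=OK
2021-10-11T03:14:03Z ip=198.51.100.7 user=dave result=FAIL
2021-10-11T03:14:04Z ip=198.51.100.7 user=erin result=FAIL
2021-10-11T03:14:05Z ip=198.51.100.7 user=frank result=FAIL
2021-10-11T03:14:06Z ip=198.51.100.7 user=grace result=FAIL
2021-10-11T03:20:00Z ip=203.0.113.5 user=alice result=FAIL
2021-10-11T03:20:09Z ip=203.0.113.5 user=alice result=FAIL
2021-10-11T03:20:31Z ip=203.0.113.5 user=alice result=OK
""".strip().splitlines()

if __name__ == "__main__":
    flagged, compromised = detect_stuffing(SAMPLE_LOG)
    print("flagged sources:", flagged)
    print("accounts to lock and re-verify:", compromised)
```

The distinct-user fan-out is what separates stuffing from an ordinary brute-force or a forgetful customer: 203.0.113.5 fails three times but against one account and is not flagged. Real campaigns rotate through proxy pools, so the same logic should also be keyed on ASN, device fingerprint or user agent, and the durable fix is on the login path itself (multi-factor authentication and screening new passwords against breached-credential lists) rather than in detection alone. The thresholds here are illustrative.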

On Wednesday, the St. Louis Post-Dispatch ran a story about how its staff discovered and reported a security vulnerability in a Missouri state education website that exposed the Social Security numbers of 100,000 elementary and secondary teachers. In a press conference this morning, Missouri Gov. Mike Parson (R) said fixing the flaw could cost the state $50 million, and vowed his administration would seek to prosecute and investigate the "hackers" and anyone who aided the publication in its "attempt to embarrass the state and sell headlines for their news outlet."

[Image caption: Missouri Gov. Mike Parson (R), vowing to prosecute the St. Louis Post-Dispatch for reporting a security vulnerability that exposed teacher SSNs.]

The Post-Dispatch says it discovered the vulnerability in a web application that allowed the public to search teacher certifications and credentials, and that more than 100,000 SSNs were available. The Missouri state Department of Elementary and Secondary Education (DESE) reportedly removed the affected pages from its website Tuesday after being notified of the problem by the publication (before the story on the flaw was published).

The newspaper said it found that teachers’ Social Security numbers were contained in the HTML source code of the pages involved. In other words, the information was available to anyone with a web browser who cared to examine the site's public code, using Developer Tools or simply by right-clicking on the page and viewing the source…

Pyramid-scheme cryptocurrency scammers are abusing Apple’s Enterprise Developer Program to get bogus trading apps onto their marks’ iPhones, and so far have made off with at least $1.4 million in ill-gotten gains. That’s according to Sophos Labs, which observed the scam making the rounds on dating sites.

“They strike up a friendship, using the dating game as a ruse, but then quickly move to money, this time in the guise of them doing you a big favor by offering you a chance to join an ‘unbeatable’ investment opportunity,” researchers said in a Wednesday posting. That investment opportunity involves cryptocurrency trading, with the offer to invest money into cryptocoins in order to reap big profits. To lend a veneer of legitimacy, the crooks offer an “official” iPhone app, purportedly approved by Apple.

“The App Store, like Google’s Play Store equivalent for Android, is by no means immune to malware, fleeceware and other badware apps,” Sophos researchers pointed out. “But totally bogus cryptocurrency trading apps, based on totally bogus trading platforms, rarely make it through.”

So instead, the scammers are using a loophole that allows enterprise mobile device management (MDM) programs to control corporate-owned iOS devices, according to Sophos’ analysis, via Apple’s Enterprise Developer program, specifically the Apple Enterprise/Corporate Signature feature. As the firm explained in its report: “Companies who enroll staff devices into Apple’s remote…

A recent report found that two-thirds, or 67 percent, of surveyed organizations have suffered a ransomware attack, about half have been hit multiple times, and 16 percent have been hit three or more times. According to Fortinet’s Global State of Ransomware Report 2021 (PDF), released last week, most organizations report that ransomware is their most concerning cyber-threat. That’s particularly true for respondents in Latin America, Asia-Pacific and Europe-Middle East-Africa, who report that they’re more likely to be victims than their peers in the U.S. or Canada.

That’s in spite of the fact that the majority of respondents feel prepared and report having a strategy that includes employee cyber training, risk assessment plans, offline backups and cybersecurity/ransomware insurance.

“There’s a disconnect … between the feelings of preparedness [and the high rate of attack],” said Derek Manky, Chief, Security Insights & Global Threat Alliances at Fortinet’s FortiGuard Labs. “There’s a lot of confidence, [with organizations reporting] that they’re prepared to deal with the ransomware attack when it happens. But if we look at the tools and plans that they currently have in place through the survey, there seems to be a disconnect in terms of the technical capabilities and services that are available.”

In other words, Manky says, “It’s one thing to have something on paper. It’s another thing to actually test it and put it to a plan.” Manky visited the Threatpost…

Threat group FreakOut’s Necro botnet has developed a new trick: infecting Visual Tools DVRs with a Monero miner. Juniper Threat Labs researchers have issued a report detailing new activities from FreakOut, also known as Necro Python and Python.IRCBot. In late September, the team noticed that the botnet started to target Visual Tools DVR VX16 4.2.28.0 models with cryptomining attacks. The devices are typically deployed as part of a professional-quality surveillance system. A command-injection vulnerability was found in the same devices last July. Visual Tools has not yet responded to Threatpost’s request for comment.

“The script can run in both Windows and Linux environments,” the Juniper report said. “The script has its own polymorphic engine to morph itself every execution which can bypass signature-based defenses. This works by reading every string in its code and encrypting it using a hardcoded key.”

FreakOut has been on the scene since at least January, exploiting recently identified and unpatched vulnerabilities to launch distributed denial-of-service (DDoS) and cryptomining attacks. Juniper reports that the threat actors have developed several iterations of the Necro bot, making steady improvements in its performance and persistence over the past several months.

“We have noted a few changes on this bot from the previous version,” the report said. “First, it removed the SMB scanner which was observed in the May 2021 attack. Second, it changed the url that it…

Vulnerabilities in the Brizy Page Builder plugin for WordPress sites could be chained together to allow attackers to completely take over a website, according to researchers. Brizy (or Brizy – Page Builder) has been installed on more than 90,000 sites. It’s billed as an intuitive website builder for those without technical skills, and comes with a collection of more than 500 pre-designed blocks, maps and video integration, and drag-and-drop design functionality.

According to researchers, prior to version 2.3.17 it also came with a stored cross-site scripting (XSS) issue and an arbitrary file-upload vulnerability. These two bugs, when combined with another flaw that allows authorization bypass and privilege escalation, become dangerous, Wordfence researchers cautioned.

“During a routine review of our firewall rules, we found traffic indicating that a vulnerability might be present in the Brizy – Page Builder plugin, though it did not appear to be under active attack,” researchers at Wordfence explained in a Wednesday posting. “This led us to discover two new vulnerabilities as well as a previously patched access-control vulnerability in the plugin that had been reintroduced.”

Either of the two fresh bugs can be chained with the re-introduced access-control vulnerability to allow complete site takeover, researchers explained. Combined with the stored XSS bug, any logged-in user would be able to modify any published post and inject malicious JavaScript into it. A pairing with the…